Original question: http://stackoverflow.com/questions/13954080/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Cross domain jQuery ajax call with credentials
Asked by Rick Hoving
I've followed the following steps:
- Get the server to allow cross domain calls (with all the headers and stuff). This works
- Test the server with some cross domain calls. This works
- Get the server to force a certificate. This works
- Go to a file on the server with a browser, choose the right certificate and see the file. Still works
Now we get to the nice part
- Combine the cross domain calls with the certificate <-- this does not work
Problem
I am getting the certificate request from the browser, but when I select the same certificate as I do when using the browser, the call is made but I get a 403 Forbidden.
Code
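$.ajax({
    type: "POST",
    // Send credentials (cookies, client certificate) with the cross-origin request
    xhrFields: {withCredentials: true},
    dataType: "xml",
    // A non-simple content type, so the browser sends an OPTIONS preflight first
    contentType: "text/xml; charset=\"utf-8\"",
    url: "https://www.myOtherServer.com/testfile.asp"
});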
Any ideas?
Edit
The Access-Control-Allow-Credentials: true and the Access-Control-Allow-Origin are properly configured.
Additional information
I'm starting to think that it has something to do with the content type. When I change it to "text/html" I get a 415 error, but I do really need to send xml because it is a SOAP server.
Response headers
Access-Control-Allow-Cred... true
Access-Control-Allow-Head... Content-Type, Origin, Man, Messagetype, Soapaction, X-Test-Header
Access-Control-Allow-Meth... GET,POST,HEAD,DELETE,PUT,OPTIONS
Access-Control-Allow-Orig... https://www.mywebsite.com
Access-Control-Max-Age 1800
Cache-Control private
Content-Length 5561
Content-Type text/html; charset=utf-8
Date Wed, 19 Dec 2012 15:06:46 GMT
Server Microsoft-IIS/7.5
X-Powered-By ASP.NET
Request headers
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language nl,en-us;q=0.7,en;q=0.3
Access-Control-Request-He... content-type
Access-Control-Request-Me... POST
Cache-Control no-cache
Connection keep-alive
Host myhoast.com
Origin https://www.mywebsite.com
Pragma no-cache
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Accepted answer by Emily
My best guess is that this is a problem not with your Javascript but with your CORS configuration. Did you set up your server with the Access-Control-Allow-Credentials: true header? http://www.w3.org/TR/cors/#access-control-allow-credentials-response-header
Also note that, even when the allow-credentials header is set, the browser will not allow responses to credentialed requests if Access-Control-Allow-Origin is *, according to these docs: https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=HTTP_access_control#Requests_with_credentials.
Edit: Since the OP has the CORS headers set up properly, the problem seems to be that the server is rejecting OPTIONS requests with a 403 status code. OPTIONS requests (known as the "preflight request") are sent before certain cross-domain requests (such as POSTs with application/xml content types), to allow the server to notify the browser of what types of requests are allowed. Since the browser doesn't see the 200 response that it expects from the OPTIONS request, it doesn't fire the actual POST request.
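The preflight behaviour described in the accepted answer, as an added example that is not part of the original thread: a request-decision function that answers the credential-less OPTIONS preflight and enforces credentials only on the actual request. `handleCors`, the `ALLOWED_*` lists and `req.clientAuthenticated` are assumed names; the origin is the one from the question.

```javascript
// Added example, not from the thread. handleCors, ALLOWED_* and
// req.clientAuthenticated (credential already verified upstream) are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://www.mywebsite.com"]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["content-type", "soapaction"];

function corsHeaders(origin) {
  // Credentialed responses must echo a specific origin; browsers reject "*".
  return { "Access-Control-Allow-Origin": origin,
           "Access-Control-Allow-Credentials": "true", "Vary": "Origin" };
}

function handleCors(req, { authOnPreflight = false } = {}) {
  const origin = req.headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {}, reason: "origin not allowed" };
  }
  const wantMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wantMethod !== undefined) {
    // Per the Fetch standard a preflight carries no credentials, so demanding
    // them here (authOnPreflight) reproduces the 403 from the question.
    if (authOnPreflight && !req.clientAuthenticated) {
      return { status: 403, headers: {}, reason: "preflight needs credentials" };
    }
    const wantHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.includes(wantMethod) ||
        !wantHeaders.every((h) => ALLOWED_HEADERS.includes(h))) {
      return { status: 403, headers: {}, reason: "method or header not allowed" };
    }
    return { status: 200, headers: { ...corsHeaders(origin),
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(","),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(",") } };
  }
  // Credentials are enforced on the actual request, not on the preflight.
  if (!req.clientAuthenticated) {
    return { status: 403, headers: corsHeaders(origin), reason: "credentials required" };
  }
  return { status: 200, headers: corsHeaders(origin) };
}

// Constructed sample: the preflight from the question's request headers.
const samplePreflight = { method: "OPTIONS", clientAuthenticated: false, headers: {
  "origin": "https://www.mywebsite.com",
  "access-control-request-method": "POST",
  "access-control-request-headers": "content-type" } };
console.log(handleCors(samplePreflight, { authOnPreflight: true }).status); // 403
console.log(handleCors(samplePreflight).status);                            // 200
```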
Answer by Mubin
Basically we just have to write in htaccess
Header set Access-Control-Allow-Origin "*"
but when we need cookies etc., we had to add script on your ajax code and htaccess
I write about cross domain XHR on my blog, http://blog.imammubin.com/cross-domain-xhr/2014/05/28/
Hope this helps.

